I don't know about this widget in particular, but in general it is worth knowing that XSS vectors come in many, many flavours. Only a small percentage actually use the script tag.

One very important factor is that they are location-dependent. For example, a string that is XSS-safe outside any tags may not be safe inside a tag's attribute value, or within a delimited string that is inside a JavaScript block.

They can also be browser-dependent, as many exploit 'bugs' in the document parsing model.

To get a sense of the variety of different vectors that can be abused to produce malicious JavaScript injection, please see these two cheatsheets.
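The location dependence described above, as an added example that is not part of the original answer: a string passed through an encoder written for text between tags is checked in three output contexts, next to the encoder written for each context. The encoder names, context names and sample inputs are constructed for illustration.

```javascript
// Added example: encoder and context names are illustrative, inputs are constructed.

// Text between tags: only &, < and > are significant.
function encodeForHtmlText(s) {
  return s.replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

// Quoted attribute value: the quote characters must be encoded as well.
function encodeForHtmlAttr(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Quoted string in a <script> block: everything except alphanumerics and
// spaces becomes \uXXXX, so no delimiter or closing tag survives.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

const ENCODERS = {
  htmlText: encodeForHtmlText,
  attrDouble: encodeForHtmlAttr,
  jsSingle: encodeForJsString,
};

// Characters that end each context and let data turn into markup or code.
const BREAKOUT = {
  htmlText: /</,
  attrDouble: /"/,
  jsSingle: /['\n\r]|<\/script/i,
};

function staysInContext(encoded, context) {
  return !BREAKOUT[context].test(encoded);
}

// Compare the text-only encoder with the encoder written for the context.
function compare(input, context) {
  return {
    textEncoderOnly: staysInContext(encodeForHtmlText(input), context),
    matchingEncoder: staysInContext(ENCODERS[context](input), context),
  };
}

console.log(compare('5" data-added="1', 'htmlText'));
console.log(compare('5" data-added="1', 'attrDouble'));
console.log(compare("a'; void 0; //", 'jsSingle'));
```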